Global Protect and HIP configuration
We will not cover how to configure GlobalProtect in this article, but we will go into how to configure HIP (Host Information Profile). Having a HIP profile allows you to control what comes into your network with granular control. The client must first connect to the portal and pass raw host data to the firewall. The firewall then checks that data against the rules you have defined in your HIP objects and HIP profile. If the data matches the values you have defined, the client is granted access to the security rule you have applied the HIP profile to.
You can steer traffic to different locations by defining HIP profiles. Imagine a HIP profile that states the machine must be a Linux box in order to be allowed into a security rule, or that it must be Windows and have antivirus installed to access another security rule; that is possible with HIP profiles.
What can we look for:
- General information like host name, OS version, registry paths, etc.
- Patch Management.
- Firewall
- Antivirus
- Anti-Spyware
- Disk Backup
- Disk Encryption
- Data Loss Prevention
- Mobile Devices
What do we need:
- HIP object - defines the matching criteria checked on the client.
- HIP profile - a group of HIP objects under one name.
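To make the object/profile relationship concrete, here is a small model of how a HIP check is evaluated: a HIP object holds the criteria (the Antivirus tab fields named in this article), a HIP profile groups objects under one name, and a security rule allows or denies based on the profile result. This is an added illustration written for this article, not Palo Alto code or the PAN-OS matching engine; the field names, the AND-only combination of objects in a profile, and the sample host reports are assumptions constructed for the example. It also returns the specific criteria that failed, which is the comparison the troubleshooting section later tells you to do by hand against the agent's Host State.

```python
"""Model of a GlobalProtect HIP check (added illustration, not PAN-OS code).

Assumptions: the host state is a dict shaped like the fields the article
mentions (vendor, product, real-time protection, product version); a HIP
profile matches only when every listed HIP object matches (AND).
"""
from dataclasses import dataclass, field
from typing import Optional


def version_tuple(v: str) -> tuple:
    """Turn '4.18.2' into (4, 18, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


@dataclass
class HipObject:
    """Matching criteria for the Antivirus tab; None means 'do not check'."""
    name: str
    vendor: Optional[str] = None
    product: Optional[str] = None
    real_time_protection: Optional[bool] = None
    min_version: Optional[str] = None

    def failures(self, host_state: dict) -> list:
        """Return the criteria the host does not satisfy (empty list = match)."""
        av = host_state.get("antivirus")
        if av is None:
            return ["no antivirus reported by agent"]
        problems = []
        if self.vendor is not None and av.get("vendor") != self.vendor:
            problems.append(f"vendor: want {self.vendor!r}, agent reports {av.get('vendor')!r}")
        if self.product is not None and av.get("product") != self.product:
            problems.append(f"product: want {self.product!r}, agent reports {av.get('product')!r}")
        if self.real_time_protection is not None and av.get("real_time_protection") != self.real_time_protection:
            problems.append(f"real-time protection: want {self.real_time_protection}, "
                            f"agent reports {av.get('real_time_protection')}")
        if self.min_version is not None and version_tuple(av.get("version", "0")) < version_tuple(self.min_version):
            problems.append(f"version: want >= {self.min_version}, agent reports {av.get('version')}")
        return problems


@dataclass
class HipProfile:
    """A named group of HIP objects; every object must match."""
    name: str
    objects: list = field(default_factory=list)

    def evaluate(self, host_state: dict) -> dict:
        """Return {'matched': bool, 'details': {object name: [failures]}}."""
        details = {obj.name: obj.failures(host_state) for obj in self.objects}
        return {"matched": all(not f for f in details.values()), "details": details}


def security_rule_decision(profile: HipProfile, host_state: dict) -> tuple:
    """Allow/deny for a rule carrying this HIP profile, plus the reason a
    gateway HIP notification could show the user (see Step 4)."""
    result = profile.evaluate(host_state)
    if result["matched"]:
        return ("allow", f"Host matched HIP profile '{profile.name}'.")
    reasons = [p for probs in result["details"].values() for p in probs]
    return ("deny", "Host failed HIP check: " + "; ".join(reasons))


# HIP object as configured in Step 2 (values are constructed examples).
AV_CHECK = HipObject(name="av-check", vendor="ExampleVendor", product="ExampleAV",
                     real_time_protection=True, min_version="4.10.0")
GP_PROFILE = HipProfile(name="GlobalProtect Profile", objects=[AV_CHECK])

# Constructed host reports, shaped like what the agent's Host State shows.
PASSING_HOST = {"os": "Windows 10", "antivirus": {
    "vendor": "ExampleVendor", "product": "ExampleAV",
    "real_time_protection": True, "version": "4.18.2"}}
FAILING_HOST = {"os": "Windows 10", "antivirus": {
    "vendor": "ExampleVendor", "product": "ExampleAV",
    "real_time_protection": False, "version": "4.2.0"}}

if __name__ == "__main__":
    for label, host in (("passing", PASSING_HOST), ("failing", FAILING_HOST)):
        print(label, security_rule_decision(GP_PROFILE, host))
```

Run it and the failing host is denied with two reasons (real-time protection off, version below the minimum), which is exactly the mismatch you would otherwise hunt for under Host State > antivirus on the agent.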
In order to enable this feature, you will need the GlobalProtect subscription added to your Palo Alto firewall.
By default the user will not know that they have been denied access, but in this example we will give the client a chance to understand why they were denied access to our system.
Let’s get into it:
Step 1.
Objects > GlobalProtect > HIP Object > Add
Step 2.
- Add a name to the HIP object
- Click on the "Antivirus" tab
  - Add your vendor and product.
  - Add Real Time Protection, Product Version, etc.
    - If you are unsure of what to add here, please view the troubleshoot image below.
Step 3.
Go to:
HIP Profiles > ADD
Name it: GlobalProtect Profile
Click on "Add Match Criteria" > select "av-check"
Step 4:
You will add the HIP profile to the following:
1. Security Rule
2. GlobalProtect Gateway
Security Rule:
Add the HIP profile to the security rule's User tab.
The rule below is an example, but add it to the direction of flow that you would like to protect with a HIP profile.
GlobalProtect Gateway:
You will now modify your external gateway to show a HIP notification. This is what the client will see on their end, so add a nice message 😊
Your stuff should look like this:
Step 5:
Commit and move on to the client machine now.
Let's go test:
Connect from your external machine now.
- Wait until your client is scanned against the Palo Alto HIP profile.
- Depending on whether you fail or pass the HIP check, you will see one of the following.
Troubleshoot:
Step 1:
If your HIP profile is failing on the client, click on the Palo Alto agent.
Click on "Host State" > "antivirus".
Make sure that the correct version is seen, or that your settings from Step 2 match what the agent is seeing. If the agent is seeing something different, then you will not authenticate correctly.
Step 2:
View the logs via Monitor > HIP Match.
There you can see what the client is reporting back to the firewall and which HIP objects and profiles it matched.
Thank you,
AzNetAdmin